Web Application Security: Are You Doing Enough?

While your network security team spends its time worrying about network-based attacks, the number of data breaches chalked up to Web applications continues to grow. Are you fighting yesterday's battles, too?

Many organizations are leaving their data vulnerable to theft because they spend too much of their security budgets on network security and too little on Web application security.

That's the conclusion of the "State of Application Security " survey carried out by the Ponemon Institute and published last month. The survey was sponsored by Imperva and WhiteHat Security, two California-based companies that sell Web application security solutions.

The survey says that of the top ten data breaches in 2009, 93 percent of the records were stolen as a result of attacks on Web applications and their databases, while only 7 percent of the data breaches were network related, according to Privacy Rights Clearinghouse data. But the report found that 43 percent of enterprise security budgets is allocated to network and host security measures such as firewalls, VPNs and IPS equipment, while just 18 percent is allocated to address the threat posed by insecure Web applications. "I guess it's analogous to saying you've got a problem with people breaking into your building through the windows, so you keep on buying stronger doors," said Brian Contos, chief security strategist at Imperva, commenting on the survey.

The implication is that although Web applications are highly vulnerable, many enterprises have yet to alter their security priorities to take them in to account, says Shlomo Kramer, CEO of Imperva. "The cyber threat landscape has shifted from bringing down networks to stealing data, and it's time to stop fighting yesterday's war," he said when the survey results were announced.

It is perhaps no more surprising that the majority of data is stolen from databases than that bank robbers tend to rob banks -- that is, after all, where the data is. But just as banks tend to take good security measures precisely because they have large amounts of cash, Kramer's point is that Web applications (and their databases) need more resources spent to beef up their security because today's hackers want data and vulnerabilities in Web applications offer them a way to get it.

Imperva and WhiteHat Security may have an interest in talking up the threats of Web applications and talking down the threat of network intrusion, but is Kramer's contention that blackhats are far less interested in breaking into corporate networks than they were in the past true?

That's a tricky question to answer, but if it is the case then it may simply be because breaking in to networks has become relatively hard - precisely because of the effort that has been made (and the money that has been spent) to secure them.

Web Applications Get a Big Portion of Attacks

Whatever the answer to this question, it remains the case that Web applications pose a threat to enterprise security - the SANS Institute rates Internet-facing Web sites that are vulnerable to attack as the second highest cyber-security risk to enterprises. It points out that "attacks against Web applications constitute more than 60 percent of the total attack attempts observed on the Internet." But the Institute highlights that the purpose of most of these attacks is not to steal the data that sits behind these Web applications. "These vulnerabilities are being exploited widely to convert trusted Web sites into malicious websites serving content that contains client-side exploits."

The number one cyber security threat to enterprises, according to SANS, is client-side software such as Adobe Flash and Reader that remains unpatched. Such software can be exploited "to propagate the infection and compromise other internal computers and sensitive servers incorrectly thought to be protected from unauthorized access by external entities. In many cases, the ultimate goal of the attacker is to steal data from the target organizations and also to install back doors through which the attackers can return for further exploitation."

Clearly, then, securing both your network and your Web applications should be key priorities. What this comes down to is a problem of resource allocation: if you spend too much of your security budget on your network, hackers will steal data via your Web applications, but if you spend too much on your Web applications, there won't be enough of your budget left to prevent them stealing data by breaking in to your network. It's as simple as that.

If you decide to allocate more of your security budget to Web application security, important steps to take (if you are not already doing so) include regular scanning for known vulnerabilities and coding errors using a specialized Web vulnerability scanner, or even full scale penetration testing.

These steps are only effective, it's important to remember, if they are accompanied by measures to ensure that developers fix any vulnerabilities that are discovered in a timely fashion. The Ponemon report recommends incentivizing developers because in many cases they don't consider fixing vulnerabilities to be as important as their other responsibilities, such as adding new features. It suggests holding developer teams responsible if they don't fix vulnerabilities in a reasonable space of time and recognizing and rewarding them when they do.

The report also recommends deploying shielding technologies such as Web application firewalls that can quickly be configured to protect against newly discovered vulnerabilities as an interim measure until the necessary patches or updates can be applied.